From c6d6043053274f1cf25a7bcbcf8ee57a09a7fd2b Mon Sep 17 00:00:00 2001
From: Magnus Olsen
Date: Sat, 10 May 2008 18:07:41 +0000
Subject: [PATCH] fixing a memory overwrite bug I miskate intrudes the private size of stackobject list contain 22 object, and we do not want mix up the private size and the user mode size for different version.
svn path=/trunk/; revision=33415
---
 reactos/subsystems/win32/win32k/include/object.h | 4 ++++
 reactos/subsystems/win32/win32k/objects/stockobj.c | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/reactos/subsystems/win32/win32k/include/object.h b/reactos/subsystems/win32/win32k/include/object.h
index 08673bbf7fe..cd02d1b1325 100644
--- a/reactos/subsystems/win32/win32k/include/object.h
+++ b/reactos/subsystems/win32/win32k/include/object.h
@@ -8,6 +8,10 @@
 #define FIRST_USER_HANDLE 0x0020 /* first possible value for low word of user handle */
 #define LAST_USER_HANDLE 0xffef /* last possible value for low word of user handle */
+/* Comments from reserve two extra entry for the stock default bitmap this is what Windows does too
+ * and verify if it is true it is not. in XP/2003 it is 22 stockobjects for each bitmap
+ */
+#define PRV_STOCK_LAST 22
 #define USER_HEADER_TO_BODY(ObjectHeader) \
 ((PVOID)(((PUSER_OBJECT_HEADER)ObjectHeader) + 1))
diff --git a/reactos/subsystems/win32/win32k/objects/stockobj.c b/reactos/subsystems/win32/win32k/objects/stockobj.c
index bdc125ae749..20c624bf94a 100644
--- a/reactos/subsystems/win32/win32k/objects/stockobj.c
+++ b/reactos/subsystems/win32/win32k/objects/stockobj.c
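Review bot: `PRV_STOCK_LAST` is used as an element count (stockobj.c sizes StockObjects with it through NB_STOCK_OBJECTS) but is named like a last index, and nothing ties the literal 22 to the indices actually written into that table (DC_BITMAP, the bare 20 in CreateStockObjects), so a future index above 21 would silently reintroduce the overwrite this commit fixes. A compile-time check next to the array, e.g. `C_ASSERT(DC_BITMAP < NB_STOCK_OBJECTS);` if C_ASSERT is in scope in win32k, would turn that into a build error instead of kernel memory corruption; the same applies to the NB_STOCK_OBJECTS hunk in stockobj.c. The added comment also dropped a word from the line it was copied from ("Comments from reserve ...") and does not say what the constant is for; something like `/* Number of entries in win32k's private stock object table. Kept separate from the user-mode STOCK_LAST, which the commit message says differs between Windows versions; XP/2003 use 22 entries. */` would explain the value.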
@@ -107,10 +107,10 @@ static LOGFONTW DefaultGuiFont = { 11, 0, 0, 0, FW_NORMAL, FALSE, FALSE, FALSE, ANSI_CHARSET, 0, 0, DEFAULT_QUALITY, VARIABLE_PITCH | FF_SWISS, L"MS Sans Serif" }; //Bitstream Vera Sans
-/* Comments from wine reserve two extra entry for the stock default bitmap this is what Windows does too
- * and verify if it it is true it is not. in XP/2003 it is 22 stockobjects for each bitmap
+/* Comments from reserve two extra entry for the stock default bitmap this is what Windows does too
+ * and verify if it is true it is not. in XP/2003 it is 22 stockobjects for each bitmap
 */
-#define NB_STOCK_OBJECTS (STOCK_LAST + 3)
+#define NB_STOCK_OBJECTS (PRV_STOCK_LAST)
 static HGDIOBJ StockObjects[NB_STOCK_OBJECTS];
@@ -139,6 +139,7 @@ CreateStockObjects(void)
 StockObjects[DC_PEN] = IntGdiExtCreatePen(BlackPen.lopnStyle, BlackPen.lopnWidth.x, BS_SOLID, BlackPen.lopnColor, 0, 0, 0, NULL, 0, TRUE, NULL);
 StockObjects[NULL_PEN] = IntGdiExtCreatePen(NullPen.lopnStyle, NullPen.lopnWidth.x, BS_SOLID, NullPen.lopnColor, 0, 0, 0, NULL, 0, TRUE, NULL);
+ StockObjects[20] = NULL;
 StockObjects[DC_BITMAP] = IntGdiCreateBitmap (1, 1, 1, 1, NULL);
 (void) TextIntCreateFontIndirect(&OEMFixedFont, (HFONT*)&StockObjects[OEM_FIXED_FONT]);
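Review bot: `#define NB_STOCK_OBJECTS (PRV_STOCK_LAST)` hides why the array size no longer tracks STOCK_LAST, and the rewritten comment above it still reads as a truncated copy ("Comments from reserve ...") instead of stating the reason. If STOCK_LAST resolves to 19 (its wingdi.h value for WINVER >= 0x0500), the old `(STOCK_LAST + 3)` and the new 22 are the same size, so the fix only matters when a different STOCK_LAST is in effect; recording that, e.g. `/* Sized by win32k's private count rather than STOCK_LAST, because STOCK_LAST depends on the Windows version the headers target. */`, would stop a later reader from "simplifying" back to the shorter expression. The explanation is now duplicated verbatim between object.h and this file; keeping it in the header and leaving a one-line reference here would keep the two from drifting apart.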
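Review bot: `StockObjects[20] = NULL;` uses a bare index where every neighbouring line uses a named one (DC_PEN, NULL_PEN, DC_BITMAP), so nothing says what slot 20 is or why it is skipped. StockObjects is declared `static` in the earlier hunk and is therefore already zero-initialised, so if the intent is only to mark the slot as reserved, a comment such as `/* slot 20 is reserved and intentionally left NULL */` documents it without the redundant store; if it is a real stock index it should get a name next to DC_BITMAP so the NB_STOCK_OBJECTS bound can be checked against it. The body of CreateStockObjects begins and ends outside this hunk.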